CHAPTER 2

Access Control

Access control is a way of granting access to the system functions or components only to those users who have been authenticated by the system and who have appropriate privileges. Access control depends on the proper configuration of the general security services provided by the server.

This chapter contains these sections:


About Access Control

The Service Processor is an appliance. In an appliance model, users or management agents can access the Service Processor and its components only through authorized user interfaces. Users and agents cannot access any of the underlying operating system interfaces, and users cannot install individual software components on the Service Processor.

These sections provide details on access control:

Logging in to the System

There are two entities that can be logged in to on the system, a Service Processor and an Oracle Solaris domain.

You initially log in to the Service Processor using a serial connection from a terminal device. A terminal device can be an ASCII terminal, a workstation, or a PC. For details on serial port connections, see the Installation Guide for your server or the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.

A unique login account with the user name of default exists on the Service Processor. This account is unique in the following ways:

After initial configuration, you can log in to the Service Processor using a serial connection or an Ethernet connection. You can redirect the XSCF console to a domain and get an Oracle Solaris console. You can also log in to a domain directly using an Ethernet connection to access the Oracle Solaris OS.

When a user logs in, the user establishes a session. Authentication and user privileges are valid only for that session. When the user logs out, that session ends. To log back in, the user must be authenticated once again, and will have the privileges in effect during the new session. See Privileges for information on privileges.

Lockout Period Between Login Attempts

After multiple XSCF login failures, no further login attempts are allowed for a certain amount of time. To set the lockout period, use the setloginlockout(8) command. To view the lockout period, use the showloginlockout(8) command. For more information, see the setloginlockout(8) and showloginlockout(8) man pages.



Note - The ability to specify and view the lockout period was added in a recent XCP update. Please see the Product Notes for the firmware release running on your server (no earlier than the XCP 1080 release) for possible restrictions.


XSCF User Accounts

A user account is a record of an individual user that can be verified through a user name and password.

When you initially log in to the system, add at least one user account with a minimum of one privilege, useradm. This user with useradm privileges can then create the rest of the user accounts. For a secure login method, enable SSH service. See To Enable or Disable the Service Processor SSH Service and To Generate a Host Public Key for SSH Service for more information.



Note - You cannot use the following user account names, as they are reserved for system use: root, bin, daemon, adm, operator, nobody, sshd, rpc, rpcuser, ldap, apache, ntp, admin, and default.


XSCF supports multiple user accounts for logging in to the Service Processor. The user accounts are assigned privileges; each privilege allows the user to execute certain XSCF commands. By specifying privileges for each user, you can control which operations each XSCF user is allowed to perform. On its own, a user account has no privileges. To obtain permission to run XSCF commands and access system components, a user must have privileges.

You can set up the Service Processor to use an LDAP server for authentication instead. To use LDAP, the Service Processor must be set up as an LDAP client. For information about setting up the Service Processor to use the LDAP service, see LDAP Service. If you are using an LDAP server for authentication, the user name must not be in use, either locally or in LDAP.

XSCF Passwords

User passwords are authenticated locally by default unless you are using an LDAP server for authentication.

Site-wide policies, such as password nomenclature or expiration dates, make passwords more difficult to guess. You can configure a password policy for the system using the setpasswordpolicy command. The setpasswordpolicy command describes the default values for a password policy.

If you have lost password access to your system, use the procedure To Log in Initially to the XSCF Console.

Privileges

Privileges allow a user to perform a specific set of actions on a specific set of components. Those components can be physical components, domains, or physical components within a domain.

The system provides the predefined privileges shown in TABLE 2-1. These are the only privileges allowed in the server. You cannot define additional privileges.


TABLE 2-1 User Privileges

Privilege   Capabilities

none        None. When the local privilege for a user is set to none, that user has no privileges, even if privileges for that user are defined in LDAP. Setting a user’s local privilege to none prevents the user’s privileges from being looked up in LDAP.

useradm     Can create, delete, disable, and enable user accounts.
            Can change a user’s password and password properties.
            Can change a user’s privileges.
            Can view all platform states.

platadm     Can perform all Service Processor configuration other than the useradm and auditadm tasks.
            Can assign and unassign hardware to or from domains.
            Can perform domain and Service Processor power operations.
            Can perform Service Processor failover operations on systems with more than one Service Processor.
            Can perform all operations on domain hardware.
            Can view all platform states.

platop      Can view all platform states.

domainadm   Can perform all operations on hardware assigned to the domain(s) on which this privilege is held.
            Can perform all operations on the domain(s) on which this privilege is held.
            Can view all states of the hardware assigned to the domain(s) on which this privilege is held.
            Can view all states of the domain(s) on which this privilege is held.

domainmgr   Can perform domain power operations.
            Can view all states of the hardware assigned to the domain(s) on which this privilege is held.
            Can view all states of the domain(s) on which this privilege is held.

domainop    Can view all states of the hardware assigned to the domain(s) on which this privilege is held.
            Can view all states of the domain(s) on which this privilege is held.

auditadm    Can configure auditing.
            Can delete audit trail.

auditop     Can view all audit states and the audit trail.

fieldeng    Can perform all operations reserved for field engineers.


The domainadm, domainmgr, and domainop privileges must include the domain number, numbers, or range of numbers to associate with a particular user account.

A user can have multiple privileges, and a user can have privileges on multiple domains.

User privileges are authenticated locally by default. You can set up the Service Processor to use an LDAP server for authentication instead. For information about setting up the Service Processor to use the LDAP service, see LDAP Service.

If no privileges are specified for a user, no local privilege data will exist for that user; however, the user’s privileges can be looked up in LDAP, if LDAP is being used. If a user’s privileges are set to none, that user does not have any privileges, regardless of privilege data in LDAP.

XSCF Firmware Update

The Service Processor firmware can only be updated as an entire image, known as an XCP image. The image includes the XSCF firmware, OpenBoot PROM firmware, POST firmware, and miscellaneous files. Only valid images authorized by Oracle or Fujitsu can be installed.

The XCP image is installed in the Service Processor flash memory. You need platadm or fieldeng privilege to update an XCP image. More information on updating an XCP image is contained in the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.


Saving and Restoring XSCF Configuration Information

To save and restore XSCF configuration information, use the dumpconfig(8) and restoreconfig(8) commands in the XSCF shell. The commands permit you to specify the location where the information is to be stored and retrieved. For more information, see the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide and the dumpconfig(8) and restoreconfig(8) man pages.



Note - The XCP 1080 firmware is the first XCP release to support the dumpconfig(8) and restoreconfig(8) commands.



XSCF Shell Procedures for Access Control

This section describes these procedures:


To Log in Initially to the XSCF Console

This procedure can be used for initial login or for lost password access.

1. Log in to the XSCF console with the default login name from a terminal device connected to the Service Processor. You must have physical access to the system.


serial port log-in prompt: default

You are prompted to toggle the Operator Panel MODE switch (keyswitch) on the front of the system. The location of the MODE switch on an entry-level server is shown in FIGURE 2-1. The location of the MODE switch on a midrange server is shown in FIGURE 2-2. On a high-end server the MODE switch is mounted horizontally rather than vertically, as shown in FIGURE 2-3. The MODE switch has two positions: Service and Locked.



Note - In the following illustrations, the three LEDs appear first, followed by the POWER button, then the MODE switch.


FIGURE 2-1 Location of the Operator Panel MODE Switch on an Entry-Level Server


Illustration of the operator panel of an entry-level server, which provides LED status indicators, a power button, and a MODE switch.

FIGURE 2-2 Location of the Operator Panel MODE Switch on a Midrange Server


Illustration of the front view of a midrange server, with an enlarged view of the operator panel, which provides LED status indicators, a power button, and a MODE switch.

FIGURE 2-3 Operator Panel on a High-end Server


Illustration of the operator panel on a high-end server, which provides LED status indicators, a power button, and a MODE switch.

You must toggle the MODE switch within one minute of the login prompt or the login process times out.

2. Toggle the MODE switch using one of two methods, as follows:

When the toggling is successful, you are logged in to the Service Processor shell as the account default.


XSCF>

Because this account has useradm and platadm privileges, you can now configure the Service Processor or reset passwords.

When the shell session ends, the default account is disabled. When an account is disabled, it cannot be used to log in at the console. It is then not possible to log in using this account again except by following this same procedure.



Note - You can use the setupplatform(8) command rather than the following procedures to perform Service Processor installation tasks. For more information, see the setupplatform(8) man page.



To Configure an XSCF Password Policy

1. Log in to the XSCF console with useradm privileges.

2. Type the setpasswordpolicy command:


XSCF> setpasswordpolicy option

where option can be one or more of the options described in the setpasswordpolicy(8) man page.



Note - The password policy applies only to users added after the setpasswordpolicy(8) command has been executed.


3. Verify that the operation succeeded by typing the showpasswordpolicy command.


To Add an XSCF User Account

When you add a new user account, the account has no password, and cannot be used for logging in until the password is set or Secure Shell public key authentication is enabled for the user.

1. Log in to the XSCF console with useradm privileges.

2. Type the adduser command:


XSCF> adduser user

where user is the user name you want to add. (See the adduser(8) man page for rules about the user name.) If you do not specify a User ID (UID) number with the -u UID option, one is automatically assigned, starting from 100.

3. Verify that the operation succeeded by typing the showuser command.


To Create a Password for an XSCF User

Any XSCF user can set his or her own password. Only a user with useradm privileges can set another user’s password.

1. Log in to the XSCF console with useradm privileges.

2. Type the password command:


XSCF> password 
Please enter your password:

See the password(8) man page for rules about passwords. When typed without an argument, password sets the current user’s password. To set someone else’s password, include that person’s user name, for example:


XSCF> password user
Please enter your password: 

where user is the user name you want to set the password for. You are prompted to enter, and then reenter, the password.


To Assign Privileges to an XSCF User

1. Log in to the XSCF console with useradm privileges.

2. Type the setprivileges command:


XSCF> setprivileges user privileges

where user is the user name to assign privileges for, and privileges is one or more privileges, separated by a space, to assign to this user. The domainadm, domainmgr, and domainop privileges must include the domain number, numbers, or range of numbers to associate with a particular user account; for example,


XSCF> setprivileges user domainadm@1-4, 6, 9

Valid privileges are listed in TABLE 2-1.
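The following Python model is an added example and is not XSCF code or part of this manual. It models the rules stated in the Privileges section and in this setprivileges procedure: the privilege names of TABLE 2-1, the domain-scoped form (domainadm@1-4,6,9, written here without spaces in the domain list, which is an assumption of this example), a few of the TABLE 2-1 capabilities, and the difference between a user with no local privilege data (looked up in LDAP when LDAP is in use) and a user whose local privilege is set to none. All function names, the handling of "none" combined with other privileges, and the use of local data as-is when it exists are this example's own assumptions; nothing here talks to a real Service Processor.

```python
"""Model of the XSCF privilege rules described in this chapter (added example)."""
import re

# Privilege names from TABLE 2-1; the server allows no others.
PLATFORM_PRIVILEGES = {"useradm", "platadm", "platop",
                       "auditadm", "auditop", "fieldeng"}
DOMAIN_PRIVILEGES = {"domainadm", "domainmgr", "domainop"}
ALL_PRIVILEGES = PLATFORM_PRIVILEGES | DOMAIN_PRIVILEGES | {"none"}

# User names the chapter lists as reserved for system use.
RESERVED_USER_NAMES = {"root", "bin", "daemon", "adm", "operator", "nobody",
                       "sshd", "rpc", "rpcuser", "ldap", "apache", "ntp",
                       "admin", "default"}


def user_name_is_reserved(name):
    """True for the account names the chapter says cannot be used."""
    return name in RESERVED_USER_NAMES


def parse_domain_spec(spec):
    """Expand a domain list such as '1-4,6,9' into {1, 2, 3, 4, 6, 9}."""
    domains = set()
    for part in spec.split(","):
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not match:
            raise ValueError(f"bad domain specification {part!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if high < low:
            raise ValueError(f"empty domain range {part!r}")
        domains.update(range(low, high + 1))
    return domains


def parse_privilege(token):
    """Parse one token: 'platadm' -> ('platadm', None);
    'domainadm@1-4,6,9' -> ('domainadm', {1, 2, 3, 4, 6, 9})."""
    name, at, spec = token.partition("@")
    if name not in ALL_PRIVILEGES:
        raise ValueError(f"unknown privilege {name!r}")
    if name in DOMAIN_PRIVILEGES:
        # domainadm, domainmgr and domainop must carry domain numbers.
        if not spec:
            raise ValueError(f"{name} requires a domain number or range")
        return name, parse_domain_spec(spec)
    if at:
        raise ValueError(f"{name} does not take a domain list")
    return name, None


def parse_privileges(privilege_list):
    """Parse the space-separated list given to setprivileges into a dict
    {privilege: None | set-of-domains}; repeated domain privileges merge."""
    parsed = {}
    for token in privilege_list.split():
        name, domains = parse_privilege(token)
        if domains is None:
            parsed[name] = None
        else:
            parsed.setdefault(name, set()).update(domains)
    # Assumption of this example: 'none' is only meaningful on its own.
    if "none" in parsed and len(parsed) > 1:
        raise ValueError("none cannot be combined with other privileges")
    return parsed


def privilege_error(privilege_list):
    """Return the parse error for a privilege list, or None if it is valid."""
    try:
        parse_privileges(privilege_list)
    except ValueError as err:
        return str(err)
    return None


def effective_privileges(local, ldap, ldap_in_use):
    """Combine local privilege data with LDAP the way the chapter describes.

    local is None when no privileges were ever specified for the user (no
    local privilege data exists), so LDAP is consulted when it is in use.
    A local 'none' yields no privileges regardless of LDAP data. When
    local data holds real privileges, this example uses it as-is (assumption).
    """
    if local is None:
        return dict(ldap) if ldap_in_use and ldap else {}
    if "none" in local:
        return {}
    return dict(local)


def can_power_domain(privileges, domain):
    """Domain power operations per TABLE 2-1: platadm on any domain,
    domainadm and domainmgr on the domains they are held for."""
    if "platadm" in privileges:
        return True
    return any(domain in (privileges.get(name) or set())
               for name in ("domainadm", "domainmgr"))


def can_view_domain(privileges, domain):
    """Viewing a domain's state: anyone who can view all platform states
    (useradm, platadm, platop) or who holds any domain privilege on it."""
    if privileges.keys() & {"useradm", "platadm", "platop"}:
        return True
    return any(domain in (privileges.get(name) or set())
               for name in DOMAIN_PRIVILEGES)


if __name__ == "__main__":
    # Constructed sample based on the setprivileges argument shown above.
    ops = parse_privileges("domainadm@1-4,6,9")
    print(ops, can_power_domain(ops, 6), can_power_domain(ops, 5))
```

The model makes the two LDAP cases explicit: a user record that was never given privileges falls through to LDAP, while an explicit none is a hard deny, which is the distinction to keep in mind when auditing accounts on a Service Processor that uses LDAP.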


To Display the Version of Installed Firmware

1. Log in to the XSCF console with platadm or fieldeng privileges.

2. Type the version command:


XSCF> version -c xcp

The XCP version number is displayed. Example command output:


XSCF> version -c xcp
XSCF#0(Active)
XCP0 (Current): 1080
...


Related Information

For additional information on this chapter’s topics, see:


Resource                                                           Information

man pages                                                          password(8), version(8), adduser(8), deleteuser(8), enableuser(8), disableuser(8), showuser(8), setpasswordpolicy(8), setprivileges(8), showpasswordpolicy(8), setlookup(8), setldap(8), showldap(8)

SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide    Access control, user accounts, passwords, firmware update